Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Wednesday, July 9, 2008

Finally after all these years of talk - Domain Keys

Dancho Danchev over at ZDNet posted up a story today which I thought warranted more attention and discussion from a slightly different angle.

First though, if you don't know what Domain Keys is, as it applies to email, here's the definition:

An e-mail authentication method that computes a digital signature which is added to the message header. The receiving mail server obtains the sender's public key from the DNS system to validate the signature. In 2004, Yahoo! began to sign all outgoing mail with DomainKeys headers.

Now... in the face of this large-scale implementation from Google, eBay and PayPal (the most phished brands on the Internet) it would almost seem obvious that this system should have been put in place years ago - as it is clearly proving to be worth the effort. False-positive rates are zero (is it even possible to fake a digital signature?), email SPAM/Phishing traffic is cut by a large chunk - so we ask ourselves... why isn't everyone doing it?

Much like DNSSEC (DNS Secured) it's simply a matter of implementation on a large scale, and the added overhead from the security verification operations. But I would say this to those who are thinking about implementation... there are two sides to this operation: the side that signs it (the verified sender) and the side that reads it and throws away/rejects the non-signed emails (receiver/email host). Obviously, in order to make this all happen, large-scale email hosting providers (such as Comcast, Verizon, SBC/AT&T, and the like) would have to turn on filtering for messages that are non-signed. Interesting.

Here's how this works in real-life...

1. Company A decides it's sick of its users being phished, and implements DomainKeys/DK

2. Company A then has to contact all email hosting providers that their users primarily use (that it's practical to reach) and alert them to only accept signed (authenticated) emails

3. Email hosts start to filter and throw away phishing/spam email

The magic step of course is #2... you can't just implement Domain Keys and expect phishing for your domain to "go away"... so this is a solution for the large mail providers - and not the masses. I agree it's definitely a step in the right direction, and it would be wonderful if we could just make DomainKeys a mail standard (no Domain Keys, no email transport/relay) but that's just not practical.
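The receiver-side decision behind step 2, as an added example that is not part of the original post: mail is dropped for lacking a valid signature only when the claimed sender domain is one the mail host has been asked to enforce. The enforced-domain list, the `.example` domains, the sample messages and the `verify` callable (standing in for the DNS key lookup and RSA check) are assumptions; the `DomainKey-Signature` header and the `selector._domainkey.domain` lookup name follow the DomainKeys scheme.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains whose owners asked this mail host to require signatures
# (step 2). Constructed sample values.
ENFORCED_DOMAINS = {"paypal.example", "ebay.example"}

# Constructed sample messages: one signed, one unsigned spoof of the same brand.
SIGNED = ("DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=mail;"
          " d=paypal.example; b=Q09OU1RSVUNURUQ=\n"
          "From: Service <service@paypal.example>\nSubject: Receipt\n\nbody\n")
SPOOFED = ("From: Service <service@paypal.example>\n"
           "Subject: Verify your account\n\nbody\n")

def parse_dk_tags(value):
    """Split a DomainKey-Signature value ("a=..; s=..; d=..; b=..") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(tags):
    """DNS name of the TXT record that holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def decide(raw_message, verify):
    """Return 'accept' or 'reject' for one message.

    verify(dns_name, message) is a hypothetical callable standing in for the
    DNS lookup plus RSA check; it returns True when the signature validates.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    enforced = from_domain in ENFORCED_DOMAINS
    header = msg.get("DomainKey-Signature")
    if header is not None:
        tags = parse_dk_tags(header)
        d = tags.get("d", "").lower()
        # The signing domain must be the From domain or a parent of it.
        aligned = bool(d) and "s" in tags and (
            from_domain == d or from_domain.endswith("." + d))
        if aligned and verify(key_record_name(tags), msg):
            return "accept"
    # Unsigned or badly signed mail is only dropped for domains that opted in
    # (a policy choice made for this example).
    return "reject" if enforced else "accept"
```

With this policy the unsigned spoof is rejected only because `paypal.example` is on the enforced list; the same unsigned message claiming any other domain is still delivered, which is the gap the post describes.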

So while we try and solve the SPAM/phishing debacle, DomainKeys (and GMail and Yahoo! Mail) take us one step closer...
